Tuesday, July 3, 2007

Information Security Policy 101 – Introduction to Information Security Policy


Information security policy is arguably the single most important component of an information security program. Most information security personnel understand and agree that information security is a discipline built on a lifecycle, and the goal of that lifecycle is continuous improvement of an organization’s security posture, measured as reduced risk.

“Information security is NOT a destination, but a continuous cycle”

In the conceptual diagram of that lifecycle, information security policy sits at the core. Every other component of the lifecycle depends on policy.

Information Security Policy Defined
Great, I understand where policy fits within a greater information security program, but what is “information security policy”? Great question! We should probably answer this before we embark on the creation of our own! Information security policy is:

A series of statements that accurately represent the views and expectations of management with respect to the protection of information assets employed by the organization.

Sound good? Yeah maybe, but let’s elaborate a little:

“A series of statements” – The statements are meant to be short, easily understood and broad; they do not address minute details. Details belong in supporting documentation such as standards, guidelines and procedures.

“that accurately represent the views and expectations of management” – This means that we must involve management. Typically management does not know what an information security policy should say, so a dialog will need to be opened between information security personnel and management. We will dig deeper into this later.

“with respect to the protection of information assets” – Protection means preserving the confidentiality, integrity and availability of information.

“employed by the organization.” – The key word is “employed”, not to be confused with “owned”: the policy covers information the organization uses, whether or not the organization owns it.

Every company needs a security policy
The things that seem obvious to information security personnel may not be so obvious to “normal” people.

“Why do we need a policy?” Well-written information security policy provides the foundation for an information security program and helps to ensure the consistency, enforceability, organization and cost-effectiveness of that program.

Management involvement
After writing nearly 100 policies over the years, I can boldly say that writing policy is the easy part. Most good policies can be written in less than a month. Getting management endorsement and final approval averages 4-6 months.

Note: “Management” refers to C-level executives in many companies, e.g. CEO, CIO, CSO, COO, CFO, etc.

Some tips:
  • Management involvement and endorsement are critical. Without management endorsement, the information security policy is worthless.
  • Get management involved as early and regularly in the process as possible.
  • Understand that management is typically more “revenue focused”, and security does not generate revenue. This requires some selling on the part of information security personnel.
  • Management probably understands that there is a need to protect information but does not understand how to go about it.
  • Do NOT be intimidated. Management wants to do the right thing.

Next in the series – “Information Security Policy 101 – Assess the Business”

Previous: Information Security Policy 101
